Password brute-forcing is an option in Vulnerability Management and there are a few insecure configuration items that are part of VM. In addition, insecure services are discovered during VM scans, things like Telnet being open on a device. By in large those items are considered policy violations for local policies, not vulnerabilities.

If you would like to look for specific configuration items as they apply to your local policy, you can easily do that with the Policy Compliance Module.